USN-1010-1: OpenJDK vulnerabilities

Ubuntu Security Notice USN-1010-1

28th October, 2010

openjdk-6, openjdk-6b18 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.10
  • Ubuntu 10.04 LTS
  • Ubuntu 9.10
  • Ubuntu 8.04 LTS

Software description

  • openjdk-6
  • openjdk-6b18

Details

Marsh Ray and Steve Dispensa discovered a flaw in the TLS and
SSLv3 protocols. If an attacker could perform a man in the middle
attack at the start of a TLS connection, the attacker could inject
arbitrary content at the beginning of the user's session. USN-923-1
disabled SSL/TLS renegotiation by default; this update implements
the TLS Renegotiation Indication Extension as defined in RFC 5746,
and thus supports secure renegotiation between updated clients and
servers. (CVE-2009-3555)

It was discovered that the HttpURLConnection class did not validate
request headers set by java applets, which could allow an attacker to
trigger actions otherwise not allowed to HTTP clients. (CVE-2010-3541)

It was discovered that JNDI could leak information that would allow an
attacker to to access information about otherwise-protected internal
network names. (CVE-2010-3548)

It was discovered that HttpURLConnection improperly handled the
"chunked" transfer encoding method, which could allow attackers to
conduct HTTP response splitting attacks. (CVE-2010-3549)

It was discovered that the NetworkInterface class improperly
checked the network "connect" permissions for local network
addresses. This could allow an attacker to read local network
addresses. (CVE-2010-3551)

It was discovered that UIDefault.ProxyLazyValue had unsafe reflection
usage, allowing an attacker to create objects. (CVE-2010-3553)

It was discovered that multiple flaws in the CORBA reflection
implementation could allow an attacker to execute arbitrary code by
misusing permissions granted to certain system objects. (CVE-2010-3554)

It was discovered that unspecified flaws in the Swing library could
allow untrusted applications to modify the behavior and state of
certain JDK classes. (CVE-2010-3557)

It was discovered that the privileged accept method of the ServerSocket
class in the CORBA implementation allowed it to receive connections
from any host, instead of just the host of the current connection.
An attacker could use this flaw to bypass restrictions defined by
network permissions. (CVE-2010-3561)

It was discovered that there exists a double free in java's
indexColorModel that could allow an attacker to cause an applet
or application to crash, or possibly execute arbitrary code
with the privilege of the user running the java applet or
application. (CVE-2010-3562)

It was discovered that the Kerberos implementation improperly checked
AP-REQ requests, which could allow an attacker to cause a denial of
service against the receiving JVM. (CVE-2010-3564)

It was discovered that improper checks of unspecified image metadata in
JPEGImageWriter.writeImage of the imageio API could allow an attacker
to execute arbitrary code with the privileges of the user running a
java applet or application. (CVE-2010-3565)

It was discovered that an unspecified vulnerability in the ICC
profile handling code could allow an attacker to execute arbitrary
code with the privileges of the user running a java applet or
application. (CVE-2010-3566)

It was discovered that a miscalculation in the OpenType font rendering
implementation would allow out-of-bounds memory access. This could
allow an attacker to execute arbitrary code with the privileges of
the user running a java application. (CVE-2010-3567)

It was discovered that an unspecified race condition in the way
objects were deserialized could allow an attacker to cause an applet
or application to misuse the privileges of the user running the java
applet or application. (CVE-2010-3568)

It was discovered that the defaultReadObject of the Serialization
API could be tricked into setting a volatile field multiple times.
This could allow an attacker to execute arbitrary code with the
privileges of the user running a java applet or application.
(CVE-2010-3569)

It was discovered that the HttpURLConnection class did not validate
request headers set by java applets, which could allow an attacker to
trigger actions otherwise not allowed to HTTP clients. (CVE-2010-3573)

It was discovered that the HttpURLConnection class improperly checked
whether the calling code was granted the "allowHttpTrace" permission,
allowing an attacker to create HTTP TRACE requests. (CVE-2010-3574)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 10.10:
openjdk-6-jre-headless 6b18-1.8.2-4ubuntu1
icedtea6-plugin 6b18-1.8.2-4ubuntu1
openjdk-6-jdk 6b18-1.8.2-4ubuntu1
openjdk-6-jre 6b18-1.8.2-4ubuntu1
Ubuntu 10.04 LTS:
openjdk-6-jre-headless 6b18-1.8.2-4ubuntu2
icedtea6-plugin 6b18-1.8.2-4ubuntu2
openjdk-6-jdk 6b18-1.8.2-4ubuntu2
openjdk-6-jre 6b18-1.8.2-4ubuntu2
Ubuntu 9.10:
openjdk-6-jre-headless 6b18-1.8.2-4ubuntu1~9.10.1
icedtea6-plugin 6b18-1.8.2-4ubuntu1~9.10.1
openjdk-6-jdk 6b18-1.8.2-4ubuntu1~9.10.1
openjdk-6-jre 6b18-1.8.2-4ubuntu1~9.10.1
Ubuntu 8.04 LTS:
openjdk-6-jre-headless 6b18-1.8.2-4ubuntu1~8.04.1
icedtea6-plugin 6b18-1.8.2-4ubuntu1~8.04.1
openjdk-6-jdk 6b18-1.8.2-4ubuntu1~8.04.1
openjdk-6-jre 6b18-1.8.2-4ubuntu1~8.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.

References

CVE-2009-3555, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3551, CVE-2010-3553, CVE-2010-3554, CVE-2010-3557, CVE-2010-3561, CVE-2010-3562, CVE-2010-3564, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3573, CVE-2010-3574